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Abstract 

Several logies for expressing eoalitional ability under resouree bounds have been 
proposed and studied in the literature. Previous work has shown that if only eon- 
sumption of resourees is eonsidered or the total amount of resourees produeed or 
eonsumed on any path in the system is bounded, then the model-eheeking problem 
for several standard logies, sueh as Resouree-Bounded Coalition Logie (RB-CL) 
and Resouree-Bounded Alternating-Time Temporal Logie (RB-ATL) is deeidable. 
However, for eoalition logies with unbounded resouree produetion and eonsump- 
tion, only some undeeidability results are known. In this paper, we show that 
the model-eheeking problem for RB-ATL with unbounded produetion and eon- 
sumption of resourees is deeidable but EXPSPACE-hard. We also investigate some 
traetable eases and provide a detailed eomparison to a variant of the resouree logie 
RAE, together with new eomplexity results. 
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1 Introduction 

Alternating-Time Temporal Logic (ATL) [4| is widely used in verification of multi¬ 
agent systems. ATL can express properties related to coalitional ability, for exam¬ 
ple, one can state that a group of agents A has a strategy (a choice of actions) such 
that whatever the actions by the agents outside the coalition, any computation of 
the system generated by the strategy satisfies some femporal properfy. A number 
of variations on fhe semanfics of ATL exisf: agenfs may have perfecf recall or be 
memoryless, and fhey may have full or partial observabilify. In fhe case of fully ob¬ 
servable models and memoryless agenfs, fhe model-checking problem for ATL is 
polynomial in fhe size of fhe model and fhe formula, while if is undecidable for par¬ 
tially observable models where agenfs have perfecf recall Q. Addifionally, even in 
fhe simple case of fully observable models and memoryless agenfs, fhe complexify 
increases subsfanfially if fhe model-checking problem fakes info accounf models 
wifh compact (implicif) represenfafions [5^. 
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In this paper, we consider an extension of perfect recall, fully observable ATL 
where agents produce and consume resources. The properties we are interested in 
are related to coalitional ability under resource bounds. Instead of asking whether 
a group of agents has a strategy to enforce a certain temporal property, we are 
interested in whether the group has a strategy that can be executed under a certain 
resource bound (e.g., if the agents have at most hi units of resource ri and 62 units 
of resource r 2 ). Clearly, some actions may no longer be used as part of the strategy 
if their cost exceeds the bound. There are several ways in which the precise notion 
of the cost of a strategy can be defined. For example, one can define if as fhe 
maximal cosf of any pafh (compufafion of fhe sysfem) generafed by fhe sfrafegy, 
where fhe cosf of a pafh is fhe sum of resources produced and consumed by actions 
on fhe pafh. We have chosen a differenf definifion which says fhaf a sfrafegy has a 
cosf af mosf b if for every pafh generafed by fhe sfrafegy, every prefix of fhe pafh has 
cosf af mosf b. This means fhaf a sfrafegy cannof, for example, sfarf wifh execufing 
an action fhaf consumes more fhan b resources, and fhen ‘make up’ for fhis by 
execufing actions fhaf produce enough resources fo bring fhe fofal cosf of fhe pafh 
under b. If is however possible fo firsf produce enough resources, and fhen execufe 
an acfion fhaf cosfs more fhan b, so long as fhe cosf of fhe pafh is less fhan b. 

There are also many choices for fhe precise synfax of fhe logic and fhe frufh 
definifions of fhe formulas. For example, in several versions are given, infu- 
ifively corresponding fo considering resource bounds bofh on fhe coalifion A and 
fhe resf of fhe agenfs in fhe sysfem, considering a fixed resource endowmenf of A 
in fhe inifial sfafe which affecfs fheir endowmenf affer execufing some acfions, efc. 
In fhis paper we give a precise comparison of our logic wifh fhe varianfs of Cral 
infroduced in l)6il, and in fhe process solve an open problem sfafed in |( 6 l. In ifTOlfTH 
differenf synfax and semantics are considered, in which fhe resource endowmenf 
of fhe whole sysfem is faken info accounf when evaluating a sfafemenf concerning 
a group of agenfs A. As observed in |(61, subfle differences in frufh condifions for 
resource logics resulf in fhe difference befween decidabilify and undecidabilify of 
fhe model-checking problem. In | 6 ], fhe undecidabilify of several versions of fhe 
logics is proved. Recenfly, even more undecidabilify resulfs were shown in [ 8 ]. 
The only decidable cases considered in |( 6 j are an exfension of Compufafion Tree 
Logic (CTL) |'9(| wifh resources (essenfially one-agenf ATL) and fhe version where 
on every pafh only a fixed finife amounf of resources can be produced. Similarly, 
ITO gives a decidable logic, PRB-ATL (Priced Resource-Bounded ATL), where 
the total amount of resources in the system has a fixed bound. The model-checking 
algorifhm for PRB-ATL runs in time polynomial in fhe sizes of fhe model and fhe 
formula, and exponenfial in fhe number of resources and fhe size of fhe represenfa- 
fion (if in binary) of fhe resource bounds. In ifTTll an EXPTIME lower bound in fhe 
number resources and in fhe size of fhe represenfafion (if in binary) of fhe resource 
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bounds is shown. 

The structure of this paper is as follows. In sections and we intro¬ 
duce Resource-Bounded ATL with production and consumption of resources, a 
model-checking algorithm for it, and prove that the model-checking problem is 
EXPSPACE-hard. This part of the paper extends £31. In section we discuss two 
special cases with feasible model-checking, one of them being a generalisation of 
the model-checking algorithm for (production-free) RB-ATE introduced in [2] to 
unbounded resources. In section]^ we give a detailed comparison with the logics 
in Ihi] and show that for one of them the model-checking problem is decidable, 
solving an open problem stated in 

2 Syntax and Semantics of RB±ATL 

The logic RB-ATE was introduced in O. Here we generalise the definitions from 
|2] to allow for production as well as consumption of resources. To avoid confusion 
with the consumption-only version of the logic from |21, we refer to RB-ATE with 
production and consumption of resources as RB±ATE. 

Eet Agt = {oi,..., an} be a set of n agents. Res = {resi,..., resr] be a set 
of r resources, H be a set of propositions and B = be a set of resource bounds 
where Noo = N U {oo}. 

Eormulas of RB±ATE are defined by the following syntax 

where p G H is a proposition, A C Agt, and 6 G H is a resource bound. Here, 
{{A^))Q)cj) means that a coalition A can ensure that the next state satisfies cp under 
resource bound b. {{A^))0(j) means that A has a strategy to make sure that </> is 
always true, and the cost of this strategy is at most b. Similarly, {{A^))(pU ip means 
that A has a strategy to enforce ip while maintaining the truth of (p, and the cost of 
this strategy is at most b. 

We extend the definition of a concurrent game structure with resource con¬ 
sumption and production. 

'intuitively, the main difference between our logic (with a decidable model-checking problem) 
and a version of RAL from (6) where the model-checking problem is undecidable under infinite se¬ 
mantics (considering only infinite computations) is that in our logic, each agent always has an option 
of executing an idle action which does not consume any resources. This means that a finite strategy 
which conforms to a resource bound and enforces a particular outcome can always be extended to 
an infinite strategy by chosing the idle action. The model-checking problem for the same version of 
RAL but under finite semantics (considering finite computations) turns out also to be decidable, and 
a model-checking algorithm for it is obtained as an easy adaptation of the model-checking algorithm 
for our logic. 
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Definition 1. A resource-bounded concurrent game structure (RB-CGS) is a tuple 
M = {Agt, Res, S, H, tt, Act, d, c, 5) where: 

• Agt is a non-empty set of n agents, Res is a non-empty set of r resources 
and S is a non-empty set of states; 

• n is a finite set of propositional variables and tt : 11 —)■ p{S) is a truth 
assignment which associates each proposition in IT with a subset of states 
where it is true; 

• Act is a non-empty set of actions which includes idle, andd : S x Agt —)■ 
p{Act) \ {0} is a function which assigns to each s G S a non-empty set of 
actions available to each agent a G Agt. For every s G S and a G Agt, 
idle G d{.s, a). We denote joint actions by all agents in Agt available at s 
by D{s) = d{s, ai) x • • • x d{s, On); 

• c : S X Agt x Act -G T/ is a partial function which maps a state s, an 
agent a and an action a G d(s, a) to a vector of integers, where the integer 
in position i indicates consumption or production of resource resi by the 
action (positive value for consumption and negative value for production). 
We stipulate that c{s, a, idle) = Ofor all s G S and a G Agt, where 0 = 0^. 

• 6 : S X -G S is a partial function that maps for every s G S and 

joint action a G D{s) to a state resulting from executing a in s. 

Given a RB-CGS M, we denote the set of all infinite sequenees of states (infi¬ 
nite eomputations) by S‘^ and the set of non-empty finite sequenees (finite eompu- 
tation) of states by S'"''. For a eomputation A = sqsi ... G S‘^ we use the notation 
A[f] = Si and X[i,j] = Si... Sj. 

Given a RB-CGS M and a state s G S, a joint action by a coalition A C Agt 
is a tuple a = (cra)aGA (where aa is the aetion that agent a exeeutes as part of a, 
the ath eomponent of a) sueh that aa G d{s, a). The set of all joint aetions for A at 
state s is denoted by Da{s). Given a joint aetion by the grand eoalition a G D{s), 
a A (a projeetion of a on A) denotes the joint aetion exeeuted by A as part of a: 
a A = (ca)aeA- The set of all possible outeomes of a joint aetion a G Da{s) at 
state s is: 


out{s, it) = {s' G 5 I 3cj' G D{s) : a = g'a F s' = 5{s, a')} 

In the sequel, we use the usual point-wise notation for veetor eomparison and 
addition. In partieular, (bi,... ,br) < [di,..., dr) iff 6* < d* V i G {1,..., r}, 
and (bi,... ,br) + {di,..., dr) = (6i -|- di,..., 6^ + dr). We assume that for 
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any b G N, b < oo and 6 + oo and oo — b = oo. Given a function / returning 
a vector, we also denote by fi the function that return the i-th component of the 
vector returned by /. 

The cost of a joint action a G Da{s) is defined as costA{s, a) = 
a, fJa) and the subscript A is omitted when A = Agt. 

Given a RB-CGS M, a strategy for a coalition A C Agt is a mapping Fa ■ 
-A Act^^^ such that, for every As G S~^, F^(As) G Da{s). A computa¬ 
tion A G 5^^ is consistent with a strategy Fa iff, for all i > 0, A[i + 1] G 
ouf(A[f], F^(A[0, f])). We denote by out{s, Fa) the set of all computations A start¬ 
ing from s that are consistent with Fa- 

Given a bound b G B, a computation A G out{s, Fa) is 6-consistent with Fa 
iff, for every i > 0, 

i 

J2costA{X[j],FAiX[0,j])) < b 

j=0 

Note that this definition implies that the cost of every prefix of fhe compufafion is 
below b. 

The sef of all compufafions sfarfing from sfafe s fhaf are 6-consislenl wifh Fa 
is denoted by out{s, Fa, b). Fa is a 6-slrategy iff out{s, Fa) = out{s, Fa, b) for 
any sfafe s. 

Given a RB-CGS M and a sfafe s of M, fhe frufh of a RB±ATL formula f 
wifh respecf fo M and s is defined inductively on fhe sfrucfure of <p as follows: 

• M, s 1= p iff s G 7r(p); 

• M, s 1= -10 iff M, s ^ 

• M, s 1= V yi iff M, s |= i;f) or M, s \= f', 

• M, s \= {{A^)) O </> iff 3 6-slrategy Fa such fhaf for all A G out{s, Fa)'- 
M,A[1] !=(/.; 

• M, s 1= {{A^))of iff 3 6-slrategy Fa such fhaf for all A G out{s, Fa) and 
i > 0: M, A[f] 1= (j)', and 

• M, s 1= {{A^))(j)ly{ Ip iff 3 6-sfrafegy Fa such fhaf for all A G out{s,FA), 
3i > 0: M, A[i] |= fi and M, A[j] |= (p for all j G {0,..., i — 1}. 

Since fhe infinite resource bound version of RB±ATL modalities correspond 
fo fhe sfandard ATL modalities, we will write {{A°°))(f)(p, {{A°°))<pU {{A°°))D(p 

as {{A))Q)(p,{{A))(pU 'ip,{{A))n(p, respectively. When fhe confexf is clear, we will 
sometimes wrife s\= (p instead of M, s \= (p- 
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<a, idle) 


(idle, idle) 



Figure 1: An example with consumption and production of resources. 


Note that although we only consider infinite paths, the condition that the idle 
action is always available and costs 0 makes the model-checking problem easier 
(we only need to find a sfrafegy wifh a finife prefix under bound b fo safisfy formu¬ 
las of fhe form {{A^))Q)(f> and {{A^))(j)ly( ifj, and fhen fhe sfrafegy can make fhe idle 
choice forever). 

As an example of fhe expressivify of fhe logic, consider fhe model in Fig¬ 
ure [T] wifh fwo agenfs oi and 02 and fwo resources ri and r 2 . Lef us assume fhaf 
c{sj,ai, a) = (— 2 , 1 ) (acfion a produces 2 unite of ri and consumes one unif of 
r 2 ), c(s,a 2 ,/ 3 ) = (1,—1) and c(s, ai, 7 ) = (5,0). Then agenf oi on ifs own has 
a sfrafegy fo enforce a sfafe safisfying p under resource bound of 3 unifs of ri and 
1 unif of r 2 {M,si ^ (({ai}^^’^^))Tff p): ai has fo selecf acfion a in si which 
requires if fo consume one unif of r 2 buf produces fwo unifs of ri, and fhen acfion 
7 in s fhaf requires 5 unifs of ri which is now wifhin fhe resource bound since 
the previous action has produced 2 units. All outcomes of this strategy lead to s' 
where p holds. After this, ai has to select idle forever, which does not require 
any resources. Any smaller resource bound is not sufficient. However, both agents 
have a strategy to enforce the same outcome under a smaller resource bound of just 
one unit of r 2 (M, sj ^ (({ai, a 2 }^°’^^))T(f p): agent 02 needs to select /3 and ai 
idle in s until the agents have gone through the loop between s/ and s four times 
and accumulated enough of resource ri to enable agent ai to perform 7 in s. 

3 Model Checking RB±ATL 

The model-checking problem for RB±ATL is the question whether, for a given 
RB-CGS structure M, a state s in M and an RB±ATL formula (f)Q, M, s ^ (/>o. In 
this section we prove the following theorem: 
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Theorem 1. The model-checking problem for RB^rATL is decidable. 


To prove decidability, we give an algorithm which, given a structure M = 
{Agt, Res, S, IT, vr, Act, d, c, 6) and a formula fo, returns the set of states [4>o]m 
satisfying fg: [(?!>o]m = {s \ M, s \= fo} (see Algorithm [^. 

Algorithm 1 Labelling fo 

function rb±atl-label(M, fo) 
for f G Sub{(l)o) do 

case (/>' = p, ^4>, fA'f, {{A))0(l), {{A))4>U V', ((A))n(/> 
standard, see |4] 
case 4>' = {{A^))Q4> 

[f']M A- Pre{A, 
case f = {{A'^))(j)U ijj 
[0^]m ^— { s I s G S'A 

UNTIL-STRATEGY(nodeo(s, b), {{A^))(j)U f)} 
case f = {{A’^))n(j) 

W]m <- { s I s G S' a BOX-STRATEGY(nodeo(s, b), ((A^))n(/))} 
return [fflu 


Given ^o, we produce a set of subformulas Sub{(j)Q) of (j)Q in the usual way, 
however, in addition, if ((A ^))7 G Sub{4>), its infinite resource version {{A))'j is 
added to Sub{(j)). Sub{(l)) is ordered in increasing order of complexity, and the 
infinite resource version of each modal formula comes before the bounded version. 
Note that if a state s is not annotated with {{A))^ then s cannot satisfy the bounded 
resource version {Ah 

We then proceed by cases. For all formulas in Sub{4>) apart from {{A’^)) Qf, 
{{A^))(I)U Ip and {{A’^))Ocj) we essentially run the standard ATL model-checking 
algorithm |4]. 

Labelling states with makes use of a function Pre{A, p, b) which, 

given a coalition A, a set p C S' and a bound b, returns a set of states s in which 
A has a joint action a a with cost{s, (Ja) <b such that out{s, a a) P P- Labelling 
states with {{A^))(j)U ip and {{A^))np is more complex, and in the interests of read¬ 
ability we provide separate functions: UNTIL-STRATEGY for {{A^))(pU ip formulas 
is shown in Algorithm]^ and BOX-STRATEGY for {{A^))n(p formulas is shown in 
Algorithm]^ 

Both algorithms proceed by depth-first and-or search of M. We record infor¬ 
mation about the state of the search in a search tree of nodes. A node is a structure 
which consists of a state of M, the resources available to the agents A in that state 
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(if any), and a finite path of nodes leading to this node from the root node. Edges 
in the tree eorrespond to joint aetions by all agents. Note that the resourees avail¬ 
able to the agents in a state s on a path eonstrain the edges from the eorresponding 
node to be those aetions a a where cost{s, cja) is less than or equal to the available 
resourees. For eaeh node n in the tree, we have a funetion s{n) whieh returns its 
state, p(n) whieh returns the nodes on the path and ei{n) whieh returns the re- 
souree availability on the t-th resouree in s{n) as a result of following p{n). The 
funetion nodeo{s,b) returns the root node, i.e., a node no sueh that s(no) = s, 
p{no) = [ ] and ej(no) = bi for all resourees i. The funetion node{n,a, s') re¬ 
turns a node n' where s{n') = s', p{n') = \p{n) • n] and for all resourees i, 
ei{n') = ei{n) - costi{a). 

Both UNTIL-STRATEGY and BOX-STRATEGY take a seareh tree node n and a 
formula (f)' G Sub{4>o) as input, and have similar strueture. They first eheek if the 
infinite resouree version of (f)' is false in the state represented by node n, s(n). If 
so, they return false immediately, terminating seareh of the eurrent braneh of the 
seareh tree. UNTIL-STRATEGY also returns true if the seeond argument i/; of cj)' is 
true in s{n). Both UNTIL-STRATEGY and BOX-STRATEGY eheek whether the state 
s{n) has been eneountered before on p{n), i.e., p{n) ends in a loop. In the case 
of UNTIL-STRATEGY, if the loop is unproductive (i.e., resource availability has not 
increased since the previous occurrence of s{n) on the path), then the loop is not 
necessary for a successful strategy, and search on this branch is terminated. If on 
the other hand the loop strictly increases the availability of at least one resource 
i and does not decrease the availability of other resources, then ei{n) is replaced 
with oo (as a shorthand denoting that any finite amount of i can be produced by 
repeating the loop sufficiently many times). If all resource values have been re¬ 
placed by oo, UNTIL-STRATEGY returns true, since the branch satisfies the infinite 
resource version {{A))(j)U i/; of 4>', and an arbitrary amount of any resource can be 
accumulated along the path. For BOX-STRATEGY the loop check is slightly differ¬ 
ent. If the loop decreases the amount of at least one resource without increasing 
the availability of any other resource, it cannot form part of a successful strategy, 
and the search terminates returning false. If a non-decreasing loop is found, then 
it is possible to maintain the invariant formula cj) forever without expending any 
resources, and the search terminates returning true. 

If the none of the if statements evaluates to true, then, in both UNTIL-STRATEGY 
and BOX-STRATEGY, search continues by considering each action available at s(n) 
in turn. For each action a G Act A, the algorithm checks whether a recursive call 
of the algorithm returns true in all outcome states of a (i.e., a is part of a successful 
strategy). If such a cr is found, the algorithm returns true. Otherwise the algorithm 
returns false. Note that the argument (()' is passed through the recursive calls un¬ 
changed: information about the resources available to the agents in s{n) as a result 



of following p{n) is encoded in the search nodes. 


Algorithm 2 Labelling {{A^))(j)Ll ip 

function UNTIL-STRATEGY(n, {{A^))(pUip) 
if s{n) ^ {{A))(pU Ip then 
return false 

if 3n' G p{n) : s(n') = s{n) A (Vj : ej(n') > ej{n)) then 
return false 

for i G {i G Res \ 3n' G p(n) : s{n') = s{n) A (Vj : ej{n') < ej{n)) A 
ei(n') < ei{n)} do 
ei{n) •(— oo 
if s{n) 1= Ip then 
return true 
if e(n) = ob then 
return true 

ActA {fj G Dy[{s{n)) \ cost{s{n),a) < e(n)} 
for cr G ActA do 
O out{s{n),a) 
strat t— true 

for s' G O do 

strat •(— stratA 

UNTlL-STRATEGY(node(n, a, s'), {{A'^))(pU ip) 

if strat then 

return true 
return false 


Lemma 1. Algorithm^terminates. 

Proof. All the cases in Algorithm 0 apart from {{A^))cpLlip and {{A^))D(p can 
be computed in time polynomial in |M| and \(p\. The cases for {{A^))(pUip and 
{{A^))D(p involve calling the UNTIL-STRATEGY and BOX-STRATEGY procedures, 
respectively, for every state in S. We want to show that there is no infinite se¬ 
quence of calls to UNTIL-STRATEGY or BOX-STRATEGY. Assume to the contrary 
that ni, 77,2 ,... is an infinite sequence of nodes in an infinite sequence of recur¬ 
sive calls to UNTIL-STRATEGY or BOX-STRATEGY. Then, since the set of states 
is finite, there is an infinite subsequence ... of ni,n 2 , ■ ■ ■ such that for 

all j, s{ni.) = s for some state s (the state is the same for all the nodes in the 
subsequence). We show that then there is an infinite subsequence re'^, n' 2 ,... of 
ni^,ni 2 , ■ • • such that for k < j, e{n'f) < e{n'j). Note that since all nodes have 
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Algorithm 3 Labelling ((A^))n0 

function BOX-STRATEGY(n, ((A^))n0) 
if s{n) ^ {{A))0(j) then 
return false 

if 3n' G p{n) : s{n') = s(n)A(Vj : ej{n') > ej{n))A{3j : ej{n') > ej{n)) 

then 

return false 

if 3n' G p{n) : s(re') = s{n) A (Vj : ej{n') < ej{n)) then 
return true 

ActA •(— {fj G DA{s{n)) \ cost{s{n)^a) < e(n)} 
for a G ActA do 
O ^ out{s{n),a) 
strat A- true 

for s' G O do 

strat ■<— strat A 

BOX-STRATEGY(node(n, a, s'), ((A^))n^) 
if strat then 
return true 
return false 


the same state, this implies that both UNTIL-STRATEGY or BOX-STRATEGY will 
return after finitely many steps: a contradiction. The proof is very similar to the 
proof of Lemma f in llT4l p.70] and proceeds by induction on the number of re¬ 
sources r. For r = 1, since e(n) is always positive, the claim is immediate. As¬ 
sume the lemma holds for r and let us show it for r -|- 1. Then there is an infinite 
subsequence ... of ni^^rii^,... where for all resources i G {1,... ,r} 

ei{m'^) < ei{m'j) for k < j. Clearly there are two nodes m'-^ and m'-^ in this 
sequence such that er+i(m'-^) < er.+i(m'^) (since there are only finitely many 
positive integers which are smaller than er+i{mi)). Hence e(m'-^) < e{mj^) and 
the sequence of calls would terminate in m' ^, a contradiction. □ 

Before we prove correctness of UNTIL-STRATEGY and BOX-STRATEGY, we 
need some auxiliary notions. Let n be a node where one of the procedures returns 
hue. We will refer to tree{n) as the hee representing the successful call to the 
procedure. In particular, if the procedure returns hue before any recursive calls are 
made, then tree{n) = n. Otherwise the procedure returns true because there is an 
action a G ActA such that for all s' G out{s{n), a) the procedure returns hue in 
n' = node{n, a, s'). In this case, tree{n) has n as its root and hees tree{n') are 
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the children of n. We refer to the action a as Uact (the action that generates the 
children of n). For the sake of uniformity, if tree{n) = n then we set Uact to be 
idle. Such a tree corresponds to a strategy F where for each path n - ■ -m from the 
root n to a node m in tree{n), F{s{n) ■ ■ ■ s{m)) = mact- 

A strategy F for satisfying {{A^))(I>1{ is If-economical for a node n if, intu¬ 
itively, no path generated by it contains a loop that does not increase any resource. 
A strategy is D-economical for a node n if, intuitively, no path generated by it 
contains a loop that decreases some resources and does not increase any other re¬ 
sources. Formally, a strategy F is ff-economical for n if 

• F satisfies {{A^^"''>))(j)U 'ip at s(n), i.e., F is a e(n)-strategy and VA G 
out{s{n),F), > 0 : A[i] |= ip and A[j] |= (p for all j G {0,..., i} 

• The pathp(n) • n is already ff-economical, i.e., Vn' G p{n) ■ n, n” G p{n') : 
s{n") = s(n') ^ e{n") pt e(n'); 

• Every state is reached by F ff-economically, i.e., for each computation 
sqSi ... Sk ■ ■ ■ G out{s{n), F) and j < k < i where i is the first index such 
that Si satisfies ^p, Sj = Sfc cost{sj ... s^) ^ 0 with cost{sj ... s^) = 

A[^], F(A[0, (])); and 

• Every state is reached by F ff-economically with respect to the path p{n), 
i.e., for every computation so^i ■ ■ - Sk ■ ■ ■ G out{s{n),F), Mn' G p{n) : 
s{n') = Sk ^ e{n') pp e(n) — cost{so ... Sk) 

A strategy F is D-economical if: 

• F satisfies ))□(/> at s{n), i.e., F is a e(n)-strategy and VA G 

out{s{n), F), Vi > 0 : A[i] |= (p\ 

• The pathp(n) • n is already D-economical, i.e., Vn' G p{n) ■ n, n" G p{n') : 

s(n") = s(n') e(n") e(n'); 

• Every state is reached by F D-economically, i.e., for each computation 
sqSi ... Sk ■ ■ ■ £ out{s{n), F) \/j<k: Sj = Sk ^ cost{sj ... Sk) 0; 

• Every state is reached by F D-economically with respect to the path p{n), 
i.e., for every computation so^i ■ ■ - Sk ■ ■ ■ G out{s{n),F), Vn' G p{n) : 
s{n') = Sk ^ e(n') ^ e(n) — co.st{so ... Sk). 

Note that any strategy F satisfying cpU ■0 (((A®("')))D0) at s(n) can be 

converted to an economical one by eliminating unproductive loops: 

Proposition 1. There is a strategy to satisfy {{A^^"^^))cpU 0 ( ((A®("')))D0j at s{n) 
iff there is an economical strategy to satisfy {{A^^'^'>))4>U 0 ( ((A®(''^))D0j at s{n). 
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Next we prove correctness of UNTIL-STRATEGY. The next lemma essentially 
shows that replacing a resource value with oo in Algorithmis harmless. For the 
inductive step of the proof, we need the following notion. Given a tree tree{n), 
we call its pruning, denoted as prune{tree{n), mi, ..., m^), the tree obtained by 
removing all children of some nodes mi ,..., mu that have only leaves as children 
in tree{n). 

Lemma 2. Let n = nodeo(s, b) be a node where UNTIL-STRATEGY returns true. 
Let f be a function that for each leaf n' oftree{n) returns f{n') G such that 
fi{n') = ei{n') if ei{n') 7 ^ 00 (fi{n') can be any natural number if ei{n') = ooj. 
Then, there is a strategy F such that for every leaf n' of the tree tree{n) induced 
by F, e(n') > /(n') holds. 

Proof. By induction on the structure of tree{n). 

Base Case: Let tree{n) contain only its root. The proof is obvious for any strat¬ 
egy- 

inductive Step: Let us consider a pruning T of tree{n). By the induction hypoth¬ 
esis, any tree T' that has a less complex structure than T has a strategy to 
generate at least f{n') G < e(n') for all leaves n' of T'. 


n 



Figure 2: Tree T and T' = prune{T, m). 

In the following, given nodes n, ni,..., Uk, we denote by n{ni,..., Uk) the 
depth-1 tree which has n as its root and ni,..., as the immediate leaves 
of n. 

Let m{mi,..., m^) be an arbitrary depth-1 sub-tree of T (see Figure]^. By 
removing mi,..., mu from T, we obtain a pruning T' of T. 
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Let n - ■■ m ■ rrii be a path in T from the root n to one of the leaves rrii. For 
each resource r the availability of which turns to oo at rrii, there must be 
a node, denoted by Wr{mi), in the path n - ■ - m ■ rrii which is used to turn 
the availability of r to oo at rrii, that is, Wrinii) is such that s{wr{mi)) = 
s{mi), ei{wr{mi)) < ei{mi) for each i, and er{wr{'mi)) < er{mi). We 
may repeat the path from Wr{mi) to rrii several times to generate enough 
resource availability for r. We call the path from Wr{mi) to rrii together 
with all the immediate child nodes of those along the path the column graph 
from Wr{mi) to rrii. Each time, an amount of gr = er{m) — costrirriact) — 
er{w{mi)) is generated. Then, the minimal number of times to repeat the 
path from m(mj) to is hr (rrii) = \ ^~)) ~| _ 

Note that we need to repeat at each rrii for each resource r the path from 
Wr{mi) to rrii hr{mi) times. To record the number of times the path has 
been repeated, we attach to each rrii a counter hr {mi) for each r and write 

the new node of as 


m 



Figure 3: Repeating steps to generate resources. 


Initially, hr{mi) = 0 for all r and for all nodes m*. A step (see Figure 
31 of the repetition is done as follows: let be some node such that 

hr{mi) < hr{mi). Fet be the sibling of {j / i). We extend 

from the column graph from Wr{mi) to mi, each new mj (j ^ i) 

is annotated with h{mj) (same as before) and the new m* is annotated with 
h{mi) except that hr{mi) is increased by 1. We repeat the above step until 
hr {mi) = hr {mi) (it must terminate due to the fact that hr {mi) < oo for all 
r and m*). 

At the end, we obtain a tree where all leaves have hr {mi) = hr {mi) 
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for all r, hence the availability of r is at least fr- Let E{m) be the extended 
tree from m. 

Let Fti be the strategy generated by T'. We extend Ft' 'with F{m) for every 
occurrence of m in Ft' and denote this extended strategy F®,. For all leaves 
m' in F{m) other than m*, let sub{T, m') be some sub-tree of T staring from 
m!. Then, we extend with sub{T, m') for every occurrence of m! in F^,. 

We finally obtain a tree Ft which satisfies fhe condifion fhaf all leaves I have 
resource availabilify of af leasf f{l). 


□ 

Corollary 1. //■ UNTlL-STRATEGY(nodeo(s, 6), returns true then 

s ^ {{A^))^Uip. 

Lemma 3. ^UNTlL-STRATEGY(n, {{A^)) cfiU ip) returns false, then them there is 
no strategy satisfying {{A^^^'l))(j)U f from s{n) that is lA-economical for n. 

Proof We prove fhe lemma by inducfion on fhe heighf in fhe recursion free of 
until-strategy( ) calls. 

Base Case: If false is refurned by fhe firsf if-sfafemenf, fhen s{n) ^ {{A))(t)Uf', 
fhis also means fhere is no sfrafegy satisfying {{A^^'^'l))(j)U from s{n). 

If false is relumed by fhe second if-sfalemenf, fhen any sfrafegy salisfying 
ijj from s (n) is nol economical. 

Inductive Step: If false is not returned by the first two if-statements, then, 
for all actions a G Act A, there exists s' G out{s{n),a) such that 
UNTlL-STRATEGY(n', V’) (where n' = node{n,a,s')) returns 

false. By induction hypothesis, there is no strategy satisfying ((A^^"’ 'l))(j)U ijj 
from s(n') that is Z^-economical for n'. Assume to the contrary that 
there is an economical strategy satisfying ip from s{n). Let 

a = F(s(n)), then a G ActA. Obviously, for all s' G out{s{n),a), 
F'(A) = F(s(n)A) is an economical strategy from n! = node{n,a, s'). 
This is a contradiction; hence, there is no strategy satisfying {{A^^^'^))(j)U ip 
from s{n) that is Z^-economical for n. 

□ 

Corollary 2. If V'^iTl'L-^.l'KAlEGY{nodeQ{s,h) , {{A^))cpU 'ip) returns false then 
s ^ {{A^))(PUip. 

Now we turn to Algorithm]^ for labelling states with {{A^))n(p. First we show 
its soundness. 
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Lemma 4. Let n = nodeo(s,b). If BOX-STRATEGY(n, {{A^))D(p) returns true 
then s{n) ^ {{A^))Of. 

Proof. Recall that, for each node m in tree{n), we denote by sub{tree{n), m) the 
sub-tree of tree{m) rooted at m. For each leaf m of tree{n), let w{m) denote one 


n 



Figure 4: w{m) of m in tree{n). 

of the nodes in p(m) such that s(t(;(m)) = s{m) nnAe{w{m)) < e(m) (see Figure 

El- 

Let us expand tree{n) as follows: 

• T° is free(n); 

• is T* where all its leaves m are replaced by sub{tree{n), w{m)) (see 
Figure]^. 

Let T = limj^oo T^, then T is a strategy for {{A^))0(l). 

□ 

Lemma 5. 7/'BOX-STRATEGY(n, {{A^))^^) returns false, then there is no strategy 
satisfying {{A^^"^^)) Of from s (n) that is O-economical for n. 

Proof We prove the lemma by induction on the height in the recursion tree of 
box-strategy( ) calls. 

Base Case: If false is returned by the first if-statement, then s(n) ^ {{A))n(j)-, this 
also means there is no strategy satisfying ))□(/> at s(n). 

If false is returned by the second if-statement, then any strategy satisfying 
{{A^^^'>))Dcj) at s (n) is not □-economical. 

Inductive Step: If false is not returned by the first two if-statements, for 
all actions cr G ActA, there exists s' G out{s{n),a) such that 
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sub{tree{n),w{mi)) sub{tree{n),w{m 2 )) sub{tree{n),w{mk)) 


Figure 5: One step in constructing the strategy. 

BOX-STRATEGY(n', (where n' = node{n,a,s')) returns false. 

Assume to the contrary that there is a strategy F satisfying 
from s(re) that is D-economical for n. Let a = F{s{n)), then a G ActA. 
Obviously, for all s' G out{s{n),a), F'{X) = F{s{n)X) is a strategy □- 
economical for n' = node{n, a, s'). This is a contradiction; hence, there is 
no strategy satisfying from s{n) that is D-economical for n. □ 

□ 


Then, we have the following result directly: 

Corollary 3. BOX-STRATEGY(nodeo(s, 5), ((A^))n(/)) returns false then s ^ 

4 Lower Bound 

In this section we show that the lower bound for the model-checking problem for 
RB±ATL is EXPSPACE, by reducing from the reachability problem of Petri Nets. 
Note that the exact complexity of the reachability problem of Petri Nets is still an 
open question (although it is known to be decidable and EXPSPACE-hard, O). 
The exact complexity of the RB±ATE model-checking problem is also unknown. 
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Note that an upper bound for the RB±ATL model-checking problem would also 
be an upper bound for the reachability problem of Petri Nets due to the reduction 
below. Even an Ackermannian upper bound for this problem is still open lIT^ . 
This suggests that determining an upper bound for the RB±ATL model-checking 
problem is also a hard problem. 

A Petri net is a tuple N = {P, T, W, M) where: 

• P is a finite set of places; 

• T is a finite set of transitions; 

• kE:PxTUTxP—)-Nisa weighting function; and 

• M : P —)• N is an initial marking. 

A transition f G T is M-enabled iff W{r,t) < M{r) for all r € P. The 
result of performing f is a marking M' where M'{r) = M{r) — W (r, t) + W{t, r), 
denoted as M [f) M'. 

A marking M' is reachable from M iff there exists a sequence 


Mo ih) Ml [ta) ... [tn) Mn 

where Mq = M and n > 0 such that M„ > M' (where M > M' iff M(r) > 
M'{r) for all r G P). It is known that the lower bound for the complexity of this 
version of the reachability problem (with M„ > M' rather than M„ = M') is 
EXPSPACE m P-V3]. 

We present a reduction from an instance of the reachability problem of Petri 
Nets to an instance of the model-checking problem of RB±ATE. 

Given a net N = (P, T, W, M) and a marking M', we construct a RB-CGS 
In,m' = ({!}> “S') {p}) d, c, 5) where: 

• S = {so} UTU {s,e}; 

• 7r(p) = {s}; 

• Act = {idle, good} U {t~ \ t ^ T}', 

• d{so, 1) = {idle, good} U {t~ \ t G Tj; 

• d{s, 1) = d{e, 1) = {idle}', 

• d{t, 1) = {idle, P*"} for all t e T', 

• c{x, idle) = 0 for all x G S'; 
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• c(so 5 good) = M'\ 

• c,.(so, t“) = VF(r, t) for all r G P; 

• c,.(so, for all r G P; 

• (5(x, idle) = e for X G S \ {s}; 

• S{s, idle) = S', 

• 6{so,good) = S', 

• (5(so; i~) = t for all t e T; 

• 5{t, P*") = So for all t e T. 

The following is straightforward: 

Lemma 6. Given a net N = (P, T,W,M) and a marking M', M' is reachable 
from M iff In,M', so N {{l^))TUp. 

Proof. (=^): Assume that M' is reaehable from M, then there exists a sequenee 

Mo [fl) Ml [t2) . . . [tn) Mn 

where Mq = M and n > 0 sueh that > M'. 

Then, we eonsider the following strategy F for agent 1: 
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• -F(so) = , note that M > c(so, ), additionally 5 (so, ) = ti; 

• F{soti) = note that M — (c(so, ^r)+ ^i")) => 0, additionally 

S{ti,tf) = So; 

• F(sotiso) = t2, note that c(so,t2 ) — ^ ~ ('^(■soi^r) + + 

€(50,^2)) = "^1 “ c(so,t2 ) — 0 ’ additionally ( 5 (so,t 2 ) = ^2; 

• F(sotiSot2) = t2, note that M - {c{so,t^) + c(ti,t+) + €(50,^2) + 
c(t2,i^)) = M2 > 0 , additionally ( 5 (t 2 ,i^) = so; 


• -F(sotiSot2 • • • Sotn) = t'^, note that M-(c(so,ti ) + c{ti,tf)+c{so,t 2 ) + 
c{t 2 ,t 2 ) + ... + c{so,t~) + c(tn,tn)) = Mn > M' > 0, additionally 
< 5 (^ 71 ; tn) ~ '^05 

• F(sotiSot 2 • • • so^nSo) = good, note that c{so,good) = M', M — 
(c(so, tr) + c(tl, + c{so,t 2 ) + c{t 2 ,t^) + . . . + c(so, t“) + c{tn, + 
c{sQ,good)) = Mn — M' > 0, additionally 5{so,good) = s; 

Sinee s |= p, it is straightforward that F is a strategy satisfying ((1^))T^ p from 
So. 

(<;=): Assume that so |= {{l^))TUp, then there exists a strategy F whieh 
satisfies {{1^))TUp from sq. 

Sinee there is only one agent, out{so, F) eontains a single path sq ... s .... 
Obviously, e eannot be visited on the prefix sq ... s; henee sq ... s musf have the 
form sofiSof 2 • • • tn-so-s for some ti,... ,tn ^T. Furthermore, 

• F(so) = c(so,fr) ^ 

• F(sofi) = t'l, c{so,ti) + < M, 


• F(sofl . . . tn-lSo) = tn , c(so, ) + c{tiUt ) + •••+ c(so, ) < M, 

• F(sofl . . .fn-lSofn) = c{so,tl) + c{ti,tt) + ... + c(so,f“) + 

c{tn, tn) < M, and 

• F(sofl . . .fn-lSofnSo) =gOod, c(so, f ) + c(f 1, + • • • + c(so, ) + 

c{tn,ti) + M' < M. 

Therefore, 
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• ti is M-enabled, let Mi = M — (c(so, ) + c(ti, t^)), 

• t 2 is Ml -enabled, let M2 = Mi — (c(so, )+^(^2, = M—{c{so,ti) + 

c{ti,tf) -bc(so,i2 ) + c{t2,t^)), 


• tn is M„_i-enabled, let Mn = Mn-i - (c(so,t„) -b c(tn,t'^)) = M - 
{c{so,t^) + c{ti,tf) + ... +c{so,t-) +c{tn,t+)) > M'. 

Henee, we have M [ii) Mi [t 2 ) ... [tn) M„. As M„ > M', M' is reachable from 
M. □ 


We have the following result: 

Corollary 4. The lower bound for the model-checking problem complexity of 
RB±ATL is EXPSPACE. 

5 Feasible cases 

In the previous section, we have seen that the model-checking problem for 
RBihATL is EXPSPACE-hard. There are, however, several tractable special cases 
of the model-checking problem. Here we consider two of them: model-checking 
RBihATE with a single resource, and model-checking RB-ATE (RB±ATE with 
only consumption of resources). 

5.1 Model-checking RB±ATL with a single resource 

Eor the case when \Res\ = 1, the problem whether M,s ^ fo is decidable in 
PSPACE. 

Theorem 2. The upper bound for the model-checking problem complexity of 
RBEATL with a single resource is PSPACE. 

Proof. All the cases in Algorithm 0 apart from {{A^)) fU f and {{A^))nf can 
be computed in time polynomial in |M| and |0|. The cases for {{A^))(j)U f and 
{{A^))0(f) are more computationally expensive. They involve calling the UNTIL- 
STRATEGY and the BOX-STRATEGY procedures, respectively, for every state in S. 
The procedures explore the model in a depth-first manner, one path at a time. Their 
space requirement corresponds to the maximal length of such a path. Note that un¬ 
like depth-first search, UNTIL-STRATEGY and BOX-STRATEGY in the general case 
(multiple resources) do not terminate when they encounter a loop, that is a path 
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containing two nodes with the same state: ..., ni,..., n 2 where s(ni) = 5 ( 71 - 2 ), 
since in the general case e(ni) and e(n 2 ) may be incomparable. However, for a sin¬ 
gle resource, it will always be the case that either e(ni) = 6 ( 71 - 2 ), or e(?T.i) < 6 ( 712 ), 
or 6(711) > 6(712). Inspection of UNTIL-STRATEGY and BOX-STRATEGY shows 
that they will return in all of these cases. Hence, we never need to keep a stack of 
more than |5| nodes, which requires polynomial space. □ 

The result above can be generalised to the case when \Res\ > 1, but the for¬ 
mula 00 is of a special form, where at most one resource is non -00 in each bound. 
To be precise, 0o is such that in each resource bound b occurring in 0o, for at most 
one resource i, bi ^ 0. 

5.2 Model-checking RB-ATL 

In this section, we briefly revisit the problem of model-checking RB-ATL (the 
logic where only consumption of resources is considered). The syntax of RB- 
ATL is the same as the syntax of RB±ATL, and the models are the class of RB- 
CGS with no production of resource (all action costs are non-negative). We will 
refer to such models as RB-CGS~. A symbolic model-checking algorithm for that 
logic was introduced in lO (without infinite resource bounds). Here we re-state 
the algorithm and discuss upper and lower bounds on the complexity of RB-ATL 
model-checking. 

The algorithm uses an abbreviation split{b) that takes a resource bound b and 
returns the set of all pairs [d, d') G Nqo x Nqo such that: 

1. d + d' = b, 

2. di = d' = 00 for all 1 G {1,..., r} such that bi = 00 , and 

3. d has at least one non-0 value. 

We assume that split{b) is partially ordered in increasing order of the second com¬ 
ponent d! (so that if d^ < d' 2 , then {di,d[) precedes {d 2 ,d 2 ))- 

The algorithm is similar to the symbolic model-checking algorithm for ATL 
given in ||4l. The main differences from the algorithm for ATL is the addition of 
costs of actions, and, instead of working with a straightforward set of subformulas 
Sub{(j)o) of a given formula 0o, we work with an extended set of subformulas 
Sub'^{4io). S'7i6+(0o) includes Sub{(j)Q), and in addition: 

• if ((A^))n0 G Sub{cj)o), then ((A‘^'))n0 G S'it6+(0o) for all d' such that 
(d, d') G split{b)\ 
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• if G Sub{(pQ), then {{A^'))(pUip G Sub~^{4>Q) for all d! such that 

(d, d!) G split{b). 

We assume that S'u6^((/>o) is ordered in the increasing order of complexity and of 
resource bounds (so e.g., for b < b', {{A’^))\I\'iIj precedes {{A^'))^^!^). 

Theorem 3. Given an RB-CGS~ M = (Agt, Res, S, If, tt, Act, d, c, (5) and an 
RB-ATL formula fo, there is an algorithm which returns the set of states [</>o]m 
satisfying fo: [ 4 >o]m = {s | M, s |= fo}, which runs in time 0 {\ 4 >of x m) where 
r is \Res\ and m is the number of transitions in M, assuming that numbers in 
bounds are encoded in unary. 

Proof Let 0 ^ 6 be a vector where the ith component is oo if the ith component of 
b is oo, and 0 otherwise. Let Pre as before be a function which given a coalition A, 
a set p C S' and a bound b returns a set of states s in which A has a move a a with 
cost cost{s, a a) < b such that out{s, a a) G P- Consider Algorithm]^ Note that 
\split{b)\ is 0 {/ 3 ^), where (3 is the largest component occurring in b. If contains 
operators with bounds containing components other than 0 and oo, |Sm6'''((/>o)| is 
O(|(/>o| X I/?!'’), or O(|i?!)o| X |<?!>or) provided that vector components are encoded 
in unary. This moves the complexity from 0(|(?!>o| x m) as in |4| to 0{\(j)QY x m), 
where m is the number of transitions in M. See Q for the argument. □ 

6 Comparison with RAL 

In this section, we compare RB±ATL with the logics introduced in 0, in partic¬ 
ular with the logic pr-rf-RAL’. In @, it is shown that the model-checking prob¬ 
lem for pr-rf-RAL’ with infinite semantics is undecidable. The decidability of the 
model-checking problem for pr-rf-RAL’ with finite semantics is stated in |i6I| as 
an open problem. Here we show that model-checking for pr-rf-RAL’ with finite 
semantics is decidable. 

6.1 The logic pr-rf-RAL’ 

The logical language pr-rf-RAL’ is a proponent-restricted and resource-fiat version 
of RAL without the release operator (for a complete description of RAL and its 
variants, we refer the reader to [I6i| and its technical report version f2*| ; in fact the 
name pr-rf-RAL’ comes from fT]). 

The syntax of pr-rf-RAL’ is defined using endowment functions (or jusf endow- 
menfs) rafher fhan resource bounds. An endowmenf is a funcfion p : Agt x Res 
N U {oo}. We will sometimes wrife r/a(r) insfead of r]{a, r). Lef En denofe fhe sef 
of all possible endowmenfs. 
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Algorithm 4 Model-checking RB-ATL 
function rb-atl-label(M, (/iq) 
for (f)' G Sub'^{(j)) do 

case (f)' = p, -■(/>, (p A'ljj 
standard, see [4] 

case (j)' = {{A^))0(p [4 >']m a- Pre{A, [4 )]m, b) 

case 4>' = where b is such that for all i, bi G {0, oo}: 

p A- [false]M',T A- [V’Jm; 

while T % p do 

/9 ^ /9 U r; T ^ Pre{A, p, b) n [(/)]m 

od 

W\m a- p 

case (j)' = {{A^))(j)U ip where b is such that for some i, bi 0 {0, oo}: 
p A- [false]M',r A- [falseju 
foreach d' G {d' \ {d, d!) G split{b)} do 
r ^ Pre{A, [{{A'^'))(pl('ip]M,d) n [(P]m 

while T % p do 

p pU t;t A- Pre{A, p, 0 ^ 6) n [cP]m 

od 

od 

[4>']m a- p 

case <p' = {{A^))0<p where b is such that for all i, bi G {0, oo}: 
p ^ [true]M',T ^ [(P]m 
while p %T do 

P^t;t ^ Pre{A, p, b) n [(P]m 

od 

[(P']m a- p 

case (p' = {{A^))n(p where b is such that for some i, bi 0 {0, oo}: 
p A- [false]M\T^ [false]M 
foreach d' G {d' \ (d, d') G split{b)} do 
r ^ Pre{A, [{{A‘^'))\I\(p]M,d) n [(P]m 

while T % p do 

p •«— p U r; r ^ Pre{A, p, 0 ^ 6) n [cP]m 

od 

od 

[</>'] M ^ P 
return [(Pq]m 
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Formulas of pr-rf-RAL’ are defined as follows: 

::=p\^(f)\4iA'ilj\ {{A))'^04> \ {{A))^n4, \ {{AY(t>U'ip 

where p G If, A C Agt, A / 0 and g G En. 

Formulas of pr-rf-RAL’ are interpreted on resource-bounded models (RBM) 
which are CGS structures extended with resources except that transitions are in 
general not total, i.e., at a state, an agent is not required to have any available 
actions. This means that there may be a state in an RBM model which does not 
have any successor. An RBM is defined as follows: 

Definition 2. An RBM is a tuple M = {Agt, Q, If, tt, Act, d, o. Res, t) where Agt, 
Act, Q, n, Res, and o are defined as Agt, Act except that idle is not required to 
be in Act, S, If, Res, and 6, respectively, in Definition^and: 

• vr : (5 —)• p(n) specifies propositional valuation; 

• d : Agt x Q —)• p{Act) specifies available actions; 

• t : Act X Res -A Z for an action a G Act and a resource r G Res 
specifies the consumption of r by a ift{a,r) < 0 or the production of r 
by a ift{a,r) > 0. Let cons{a,r) = — min{0, t(a, r)} and prod{a,r) = 
max{0, t{a, r)}. 

Resource availability is modelled by resource-quantity mappings (rqm) p : 

Res —>■ ZU {oo}. 

Given a RBM M, Q-‘^ = Q‘^ U Q~^ denotes the set of all finite and infinite se¬ 
quences over Q. A sequence A G is a path in M iff there exist transitions in M 
between adjacent states in A. A finite or infinite sequence A = {qo,^^), {qi,rj^), ■ ■ • 
over Q X En is a resource-extended path (r-path) in M iff qoj • • • is a path in M. 

Given a coalition A, an endowment g and an rqm p, an (A, r?)-share for p is a 
function sh : A x Res -A N where: 

• Vr G Res : p{r) > 0 ~ 

• ya £ A,r £ Res : ga{r) > sh(a, r). 

Let Share(A, g, p) denote the set of all possible (A, pj-shares for p. It is straight¬ 
forward that Share(A, g, p) = % if hair) < p{r), i.e., resource endowment 
for agents in A is not enough to create a share. 

Given an endowment g and a strategy Fa for a coalition A, a maximal r-path 
= {qo,V^)j • • • of M is an {g, F^)-path starting from a state qo iff: 

• g^ = g', 
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• \/a £ A,r £ Res,i > 0,z < |A| : r/*(r) > 0; 

• Vi > 0, i < |A| — 1 : 3cj G D{qi) such that: 

- FAiqo ...qi) = a A', 

- o{qi,a) = qi+v, 

- 3shj G Share(^, ry,/o) : \/a £ A, r £ Res : = 

r]1{r) + prod((Ta,r) — shj(a, r) where p is such that p{r) = 
Eaevl -cons(CTa,r). 

Notice that as defined in |(6l, a path is maximal if it can be extended with sufficient 
available resources, then it must be extended. Then, out{qo, p, Fa) denotes the set 
of all (r/, F^)-paths starting from a state go- As shown by ||6l, out{qQ,p, Fa) is 
never empty. In the worst case, out{qo,p, Fa) contains a single r-path (go, p)- 
Given an RBM M and a state g, the truth of pr-rf-RAL’ formulas is defined 
inductively as follows (we omif fhe proposifional cases): 

• M,g \=rai {{Ap04>m3FA : VA G out{q,p,FA) : |A| > 2 AM, A[l] \=rai 

0 ; 


• M,q \=rai ((A))^n(/> iff 3Fa : VA G out{q,p, Fa) : |A| = oo A Vi > 0 : 
Af, A[i] I ral ‘^5 

• M,q \=rai {{A))"^4>U tp iff 3TA : VA G out{q,p,FA) : 3i > 0,i < |A| : 

M, A[i] \=rai V' A Vj > 0, j < i : M, A[j] KaZ <P- 

The definifion above gives finite semantics of pr-rf-RAL’. Infinite semantics is 
obfained if fhe condition “for all A G out{q, p, Fa)” above is replaced wifh “for all 
infinife A G out{q, p, Fa)”- 

Theorem 4. |7|/ The model-checking problem for pr-rf-RAL’ with infinite se¬ 

mantics is undecidable. 

The problem whefher model-checking for pr-rf-RAL’ wifh finife semanfics is 
decidable is leff open in 0. Below we show fhaf if is in facf decidable by adapfing 
fhe model-checking algorifhm for RB±ATL. Before we do fhis, we invesfigafe 
fhe differences befween pr-rf-RAL’ and RB±ATL in more defail. In parficular 
we consider whefher we can obfain a logic equivalenf fo pr-rf-RAL’ by simply 
removing fhe resfricfion fhaf agenfs always have af leasf fhe idle acfion available 
from fhe semanfics of RB±ATL. 


25 


6.2 The logic RB±ATL-nt 


As models for pr-rf-RAL’ are not total in general, we facilitate a comparison with 
RBihATL by introducing a variant RB±ATL-nt of RB±ATL where we remove the 
requirement of total transitions in Definition [T] In other words, RB±ATL-nt has 
the same syntax as RB±ATL yet a broader class, namely RB-CGS-nt, of models 
which do not need to be total. In particular, in Definition [T] Act does not need to 
include idle and d : S x Agt —)• p{Act) may be mapped to an empty set or to a set 
not containing idle. 

Obviously, any RB-CGS model is an RB-CGS-nt but not vice versa. Since 
RB-CGS-nt models are not total in general, at a state s, the set Da{s) of possible 
joint actions by a coalition A and the set of possible outcomes of a joint action 
o'A £ Da{s) may be empty. 

Given a RB-CGS-nt model M, a strategy Fa for a coalition A C Agt, a finite 
computation A G S~^ is consistent with Fa iff for all i G {0,..., | A| —2}: A[f-|-1] G 
out{X[i], F{X[0, z])) and DAgti^[\M “ 1]) = there is a deadlock at the last 

state of A. We denote by outf{s, Fa) the set of all consistent finite computations of 
Fa starting from s. Then, the set of all consistent finite and infinite computations 
of Fa from s is defined as: 

outnt{s,FA) = out{s,FA) u outf{s,FA) 

Under a resource bound b ^ B, a compufafion A G outnt{s, Fa) can be only 
carried ouf unfil an index imax £ Nqo (see Figure]^ iff: 

i 

^cosf(A[j],FA(A[0, j])) < 6 for all i ^ fmax 

J=0 

and 

^max 

'^COSt{X[j],FA{X[0,j])) ^ 6if fmax 7^ OO 

j=0 

Lef us denote X{b) = A[0,Zmax] and we call A(6) maximal wifh respecf fo b. 
Then, fhe sef of all 6-consistenf (finile or infinite) compufafions of Fa sfarfing from 
sfafe s is defined as follows: 

outnt{s,FA,b) = {X{b) I A G outnt{s,FA)} 

Nofe fhaf fhis definifion implies fhaf fhe cosf of every prefix of a 6-consisfenf com¬ 
pufafion is below b and outnt{s, Fa, b) may confain finife compufafions. Further¬ 
more, outnt{s, Fa, b) is always non-emply, as in fhe worsf case, if confains a single 
compufafion s. 
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Figure 7: A is restricted by b. 


The semantics of RB±ATL-nt formulas is defined as follows (the atomic case 
and Boolean connectives are defined in fhe sfandard way): 

• M,s \=nt iff 3 sfrafegy such fhaf for all A G outntis, F'^, b): 

|A| >2andM,A[l] ^ 

• M,s \=nt iff 3 sfrafegy such fhaf for all A G outnt{s, F'j^, b) 

and i > 0: |A| = oo and M, A[i] |= (f)', and 

• M,s \=nt V' iff 3 sfrafegy such fhaf for all A G outnt{s, F^, b), 

3i >0: i < |A|, M, A[f] |= V' and M, A[y] |= (j) for ally G {0,..., f — 1}. 

If fhe condifion “for all A G outnt{s, F'^^b)” is replaced wifh “for all infinile 
A G outntis, F^, 6)” in fhe frufh definilion of RB±ATL-nl, we obfain RB±ATL-nl 
wifh infinile semantics. Nole fhaf in a RB-CGS model M, if Fa is a 6-slralegy 
for a coalition A, we have fhaf outis,FA) = out{s, FA,b) = outntis, Fa) = 
outntis. Fa, b). We have fhe following resulf: 

Lemma 7. Given a RB-CGS model M, M,s |= (j)' iff M,s \=nt (k' under finite 
semantics. 

Proof. (=^) is obvious. For (<^=), the proof is by induction on the structure of . 

If = {{A^))0(j), we have that outntis, F'ff) = outntis, F^, b) because |A| = 
oo for all A G outntis, F'^,b); thus, F^ is a 6-strategy. 

If (j)' = {{A^))Q)(j), let us consider the following strategy for A\ 

^ _ I if G 5+ U 5"^ : AA' G ouf(s, F^^, 6) 

1 idle otherwise. 

It is straightforward that Fa is a 6-strategy to satisfy M, s |= {{A^))(f)(f> at s. 

If (f)' = iiA^))4>U f, the proof is similar to the above case, hence it is omitted 
here. □ 
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(a,/3) p 

o->o 

s t 

Figure 8: Comparing resource endowments and bounds. 

The above result shows that over the class of RB-CGS models, RB±ATL and 
RB±ATL-nt with finite semantics are equivalent. Furthermore, we have the fol¬ 
lowing result: 

Theorem 5, The model-checking problem for RB±ATL-nt with finite semantics is 
decidable. 

Proof. The model-checking algorithm for RB±ATL can be easily adapted to a 
model-checking algorithm for RB±ATL-nt. The only change required is in the 
function Pre{A, p,b) which becomes Pre{A, p,b) = {s G 5 | 3aA G Da{s) : 
cost{s,OA) < b f\ % out{s,aA) C p}. Here, we additionally require that 
out{s,aA)fi9- □ 

6.3 Comparing pr-rf-RAL’ and RB±ATL-nt 

At the semantical level, every RBM M = {Agt, Q, If, vr, Act, d, o, Res, t) can be 
converted straightforwardly into an RB-CGS M' = {Agt, Res, Q, H, vr', Act, d, c, 
6 ) where: 

• = {q ^ Q \ P ^ ^( 9 )} for all p G If; 

• c{q, a, a) = {—t{a, rfr^Res for all g G Q, a G Agt, a G Act, and 

• 6 = 0 . 

At the syntactical level, pr-rf-RAL’ and RB±ATL-nt are rather different. While 
pr-rf-RAL’ enables specifying the ability of a coalition under a resource endow¬ 
ment, RB±ATL-nt allows one to specify the ability of a coalition within a resource 
bound. Let us consider an example, as depicted in Figure in order to clarify the 
difference between endowments and bounds. In this example, our model has two 
agents a and b and one resource. From state s, agents a and b can only perform 
a and fi, respectively, which cost — c and c (for some c > 0), respectively. As 
their joint action is cost-free, we have that s \=nt {{{a, b}^))(f)p. However, given 
an empty endowment po = {ai—)-0}, there is no possible share from this 
endowment to cover the cost c of action /?; i.e., s ^rai (({oj b}))^°(f)p. The reason 
is that under 770 (s, rjo) is the only from s which is shorter that the computation s, t 
under 0. In general, we have the following result: 


28 



Lemma 8 . Given a RBM model M, for any state qo, strategy Fa, endowment rf 
and bound b = [Y^adA dairfraRes, then if {qq, 77 °), {qi,r]^),{qk,d^) ^ the 
prefix of some computation in out{qo, Fa), then qo, qi,... ,qk is also the prefix 
of some computation in ouintido, Fa, b). 

Proof The proof is done by induction on k', additionally, we also show that 

(EaeA ha{r))r&Res = b- cost{qj, FA{qi ■.. qj)). 

Base case A; = 0: The proof is trivial. 

Induction step: Assume that ■ ■ ■{(lk+i,h^^^) is the 

prefix of some computation in out{qo,p^, Fa)- Then, so is 
{qo,p^){qi,p^) ■ ■ ■ {qk,P^)- By induction hypothesis, we have that 
qo...qk is the prefix of some computation in outnt{qo, FA,b) and 
(EaeA Va{r))reRes = b - Y’jZo cost{qj , FA{qi - - - qj))- 

As {qo,V°){Qi,V^) ■ ■ ■{Qk+i,v’'^^) is a prefix, 

Share{A,p'^,{YaGA-t^°ns{FA{qo---qk)a,r))reRes) + 0, i-e., 

Ya&AVa{r) > YaeA-^°t^s{FAiqo■■■qk)a,r) for all r e Res', 
hence EasA^a^^W > YaeAPtO(i{FA{qo ■ ..qk)a,r) > 0. 

We also have {YaeAVa^^ir))r&Res = (YaeAiVair) + 
ptOd{FA{qo ■ ■ ■qk)a,r) - Shk{a,r)))reRes = {Ya^Aihaif) + 
pto6 {FA{qo...qk)a,r) + cons(F^(go • • • %)a, r)))r.ei?es = b- 
Y)=QCOst{qpFA{qi...qj)). Ya&A'n't^i'f) > 0 for all r E Res, 

b - Ei=o cost{qj,FA{qi ■ - - qj)) > 0, i.e., Y’j=o cost{qj, FA{qi - ■ ■ qf) < 
b, hence qo ■ ■ ■ qk+i is also a prefix of some computation in outnt{qo, Fa, b). 

□ 

As suggested by the function which translates resource bounds into endow¬ 
ments (introduced in fT| by Bulling and Farwer to relate their framework to RBCL 
ill), pr-rf-RAL’ formulas can also be converted into RB±ATL-nt formulas by a 
translation function tr which makes use of the inverse of p^ and is defined induc¬ 
tively as follows (propositional cases are omitted): 

• tr{{{A))^Of) = 

• tr{{{A))^'0(f)) = 

• tr{{{A))^(j)lJ f) = {{A^Z2aeAnair))reRes'jjff(^(jj^U 

Here, resource bounds are sums of individual endowments for each resource. The 
example in Figure and Lemma show that satisfiability is not preserved by the 
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translation function tr. In order to obtain preservation of satisfiability, it is neces¬ 
sary to relax the requirement in the definition of computations in RBM models. In 
particular, the last condition is relaxed as follows: 

• 3shj G Share(74, ??, p) : Va G r G Res : 'rf^^{r) = p* (r)-|-prod((Ta, r) — 
shi(a,r) where a = FA{qo---qi) and p{r) = EaeA(“Cons(o-a, r) - 
prod(cra,r)). 

Comparing the the original condition, the production of resource in a step is also 
considered to cover for the consumption in the same step by adding it into the 
share function. Let us call RBM models with this relaxed condition relaxed RBM 
models. We have the following result: 

Lemma 9. Given a relaxed RBM model M, for any state qo, strategy Fa, endow¬ 
ment rf and bound b = 'na{r))reRes, then: 

• ifiqo^rp), {qi^fl^), • ■ • e out{qQ,rp,FA), then go, 51, • • • £ out{qo, FA,b); 

• conversely, if qo,qi,... G outnt{qo, FA,b); then such that 

{qo,V°), {qi,ri^), • • • e out{qo,V°,FA). 

Proof Both directions are repetition of the proof of Lemma hence they are 
omitted here. □ 

Let pr-rf-RAL” be pr-rf-RAL’ interpreted over relaxed RBM models. We have 
the following result: 

Lemma 10. Given a relaxed RBM model M, M,s \=pr-if-RAL" 4^' W \=nt 

trif'). 

Proof Let us prove the direction from left to right. The other direction is similar. 
The proof is done by induction on the structure of f. The base case is trivial, hence 
omitted here. 

In the induction step, the cases of propositional connectives are trivial, hence 
they are also omitted. Let us consider the following three cases. 

(/>' = {{ApOf: Let b = {Y.a&AVa{r))r&Res and Fa be the strategy to satisfy 
f at s. For every go5i ■ ■ • G outnt{s, Fa, b) where s = go, by Lemma 
there are r4,7f such that (go, rf){qi,'r4) •.. G out{s, rj, Fa)- As M, s \=rai 
((A)) we have that M, gi 1=^^; f. By induction hypothesis, M', gi \=nt 
tr{4). Hence, M',s |= {{A^))Q)tr{(f)) 
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(/>' = {{A))^(I)U 'tjj: Let b = {J^aeA 'na{r))r&Res and Fa be the strategy to satisfy 
(j)' at s. For every q^qi ... G outnt{s, Fa, b) where s = qo, by Lemma 
there are 77 ^ such that {qo, rf){qi,ri^) ... G out{s, rj, Fa)- As M, s \=rai 
{{A))^(j)U r/), we have that 3i > 0 such that M, qj \=rai 4^ for all j < i and 
M, qi \=rai 4- By induction hypothesis, M', qj \=nt tr{(j)) for all j < i and 
M,qi \=rai 4- Hence, M',s \= {{A^))tr{4)U tr{4). 

4' = {{A))^n(l)-. Let b = {J2a&A'na{r))reRes and Fa be the strategy to satisfy 
(j)' at s. For every q^qi ... G outnt{s, Fa, b) where s = qo, by Lemma 
there are 77 ^ such that {qo, rf){qi,r4) ... G out{s, 77 , Fa)- As M, s \=rai 
{{A)44^ 4’ we have that {qo,'n^){qi,ri ^)... is infinite and M, qj \=rai 4 
for all j > 0. By induction hypothesis, M',qj \=nt tr{(j)) for all j > 0. 
Hence, M',s ^ {{A^))Otr{4)- 


□ 

The above lemma shows that over the class of relaxed RBM models, RB±ATL- 
nt and pr-rf-RAL” with finite semantics are equivalent. Similar to the above result, 
it is also straightforward that RB±ATL-nt with infinite semantics is equivalent to 
pr-rf-RAL” with infinite semantics: 

Lemma 11. Given a relaxed RBM model M, under the infinite semantics, 
M, S '^pr-rf-RAL" 4' W M', S |=„t tr{4')- 

Proofi The proof is the same as the proof of Lemma [TO] except we only consider 
infinite computations. □ 

Note that the proof for the undecidability of pr-rf-RAL’ in ||6l with infinite 
semantics can be applied for pr-rf-RAL” with infinite semantics. Hence, we have 
the following result: 

Lemma 12. Model-checking pr-rf-RAL” with infinite semantics is undecidable- 
Then, we have the following consequences: 

Corollary 5. Model-checking RBFATL-nt with infinite semantics is undecidable- 
Since model-checking RB±ATL-nt with finite semantics is decidable, we have: 
Lemma 13. Model-checking pr-rf-RAL” with finite semantics is decidable- 
Furthermore, the same result can also be established for pr-rf-RAL’: 

Theorem 6. Model-checking pr-rf-RAL’ with finite semantics is decidable- 
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Proof. We adapt further the model-checking algorithm for RB±ATL-nt where the 
lint Act A {cT G DA{s{n)) \ cost{a) < e(n)} in Algorithms[^and[^is replaced 
by ActA ^ {a € L»A(s(n)) | (XlieA cons((Ti, r)),.6Re^ < e(n)}. □ 

Figure summarises the above decidability and undecidability results for the 
model-checking problems for RB±ATL, RB±ATL-nt, pr-rf-RAL” and pr-rf-RAL’ 
where D stands for decidable and U for undecidable. Note that RB±ATL is decid¬ 
able in both semantics due to the fact that both semantics are indistinguishable 
thanks to idle. 


Semantics 

RBibATE 

RB±ATE-nt 

pr-rf-RAE” 

pr-rf-RAE’ 

Einite 

D 

D 

D 

D 

Infinite 

D 

U 

U 

US 


Figure 9: Decidability and undecidability results. 


7 Conclusion 

We have presented a model-checking algorithm for RB±ATL, a logic with resource 
production, which makes RB±ATL exceptional in the landscape of resource logics, 
for most of which the model-checking problem is undecidable miH. We compared 
RBibATL with a similar logic (a variant of RAL, |i61) to understand the differences 
between the two logics and why the model-checking problem for RB±ATL is de¬ 
cidable while the model-checking problem for pr-rf-RAL’ with infinite semantics is 
undecidable. As a by-product of this comparison, we show that the model-checking 
problem for pr-rf-RAL’ with finite semantics is decidable, solving a problem left 
open in Q. 

Although the model-checking problem for RB±ATL in decidable, it is 
EXPSPACE-hard. In future work, we plan to implement model-checking algo¬ 
rithms for feasible fragments of RB±ATE in the model-checker MCMAS lfT3l . 
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